Network security is afflicted by two bogeymen, viruses and hackers,” says Justin Peltier, senior security consultant at Peltier Associates. “Everything that goes wrong is blamed on them.”Admittedly, the vast majority of enterprise security problems are caused by errors, inadequate procedures and poor configuration. But those aren’t the kinds of things that really grab the imagination. A Hollywood movie about people misconfiguring a firewall would be very dull indeed. That doesn’t mean that hackers don’t exist and viruses and worms don’t happen. “The damage that can be done by someone who really wants to compromise your systems can be dramatic,” Peltier says. “There is a difference between error and malice, and someone who is malicious enough to attack you, and has the technical expertise to exploit your security, can be very dangerous.” In the strictest sense, a security “exploit” is a program, like a virus or worm, or an intrusion that takes advantage of a bug or vulnerability in your systems. More broadly, it’s what black-hat hackers and other Internet miscreants do. They look for the open windows and back doors into your network so they can test your defenses, joyride on your servers, cause mischief and rob you blind. Make no mistake: your enterprise software, from the network perimeter to your core servers, is not perfect. In the millions upon millions of lines of code that define what your software does, there are bound to be hiccups and tiny flaws that can be turned into an exploit. Just consider the quantity and frequency of operating system and application patches that come out of Redmond, Wash., and you’ll have a pretty fair idea of how many little flaws and vulnerabilities there can be. That’s where an exploit usually starts, says Mark Culphey, senior director of consulting at Foundstone Services, a division of McAfee Inc. “We have a number of vulnerabilities in the Microsoft operating system now,” he says. “The malicious guys will literally take a service pack, decompile it and get right to it before anyone has a chance to install it.” The popular image of the master hacker has been defined largely by Hollywood and by the late-1980s adventures of legendary hackers like Pengo, Kevin Mitnick, the Chaos Computer Club, the Legion of Doom and the Defcon hacker conventions. These were shady, poorly socialized and brilliant young men (rarely women) who spent their nights in the phosphor glow of their computers screens, cracking system after system on the budding Internet. As oddly romantic as the image is, the original source of exploits today is more likely to be like Robert Tappan Morris, the Cornell computer science student who loosed the first worm on the Internet in 1988 and inadvertently brought the Net to its knees. “The Defcon hacker culture is still there, to some extent,” Culphey says. “But more important is this other group of really competent engineers who don’t brag about what they do. “What motivates them is the original idea of hacking; they want to know how things work and they won’t let go until they truly understand the insides of systems,” Culphey says. There’s nothing necessarily malicious about this kind of hacking. Some network security specialists spend their time quietly probing sites and network defenses partly out of professional interest and partly out of a personal impulse to look inside. “The maliciousness of someone who discovers an exploit is not the great evil,” Culphey says. “The danger is the guy who turns it into a self-propagating worm for which there is no patch.” That happens when the exploit finds its way out of the legitimate community of IT and security professionals and into the hands of people who want to crack systems and program worms and viruses. Make no mistake: if someone finds a vulnerability in Windows XP, and codes an exploit for it, it will get around. One of the hard-and-fast rules of the networking world is, “wireheads share stuff.” Even if they’re not particularly malicious, knowledge is power, and even sites like the French Security Incident Response Team at www.frsirt.com feature extensive, publicly accessible archives of exploit code. “It’s a brilliant archive,” Peltier says. “They’re a brilliant bunch of researchers, and they publish three or four times a week.” One of the great ironies, however, is that someone who exploits a vulnerability innocently can leave systems and networks unprotected, Peltier says. “If an attacker is just looking to see if he can get into a system, he usually leaves the hole there,” he says. “If he wants something specific, he’ll close the back door so no one else can get in. They often say, ‘I own this box.’” Most ominous, perhaps, is the zero-day exploit. An exploit is bad enough if it has been documented and a patch is either available or on the way, but a zero-day exploit is a kind of open secret. “It usually means that only a small number of people know about it and it hasn’t been published on the Internet yet,” Peltier says. “Sometimes they stay secret for some time.” At any one time, moreover, there can be quite a few zero-day exploits floating around, only becoming public knowledge when software and network equipment vendors finally come out with a patch, Culphey says. “Historically, vendors haven’t responded well to this,” he says. “People like Microsoft don’t quite acknowledge how much of a problem this can be.” Having said that, for all the apparent menace of the zero-day exploit, it’s the mundane, well-known and documented ones that are most serious. The bottom line is that, the only way to protect against potential exploits is to do your due diligence and keep your systems up to date. “Patching is, obviously, a good idea,” Culphey says. “You have this whole idea of time-to-patch. The narrower you can keep that window, the better-off you’re going to be.” Even more important are basic network precautions. The main reason why systems are exploited is that network administrators haven’t taken the basic precautions. “There is a lot of low-hanging fruit,” Culphey says. “I see hosts without a firewall. No one should be able to get to those ports to exploit the vulnerability in the first place. “I wish I could say that, in this day and age, our penetration tests never get through. They do. Often.” Both Culphey and Peltier muse that, if everyone took the basic precautions, properly configured their equipment and had their architecture worked out, their jobs would be a lot more boring. As it is, they expect it to be pretty interesting for the foreseeable future.